Can you keep a secret?

Privacy must be given a much higher priority by firms and individuals if we are to avoid more examples of data loss, says Nigel Jones.

Next month marks the anniversary of the loss of more than 25 million citizens’ personal data by HM Revenue and Customs (HMRC), and we continue to see examples of data loss. In the past year, the DVLA has lost 6,000 people’s personal details. HSBC, Nationwide and Standard Life have also reported the loss of more than a million customers’ banking information.

So what can be done to safeguard our valuable data? First, we can use technology to protect our computer systems. Second, we need to be more vigilant about giving out sensitive data; we often relinquish information online without questioning how it will be used.

My work with the government’s Cyber Security Knowledge Transfer Network (KTN) has started to make the case for designing privacy functions into information and IT systems at the start of a project. Our firm advice is that privacy technologies cannot be ‘bolted on’ at the end of software design. Organisations and businesses must commit to protecting their customers’ privacy upfront.

Our research has found that privacy requirements must be fed in at four stages of software design — initiation, planning, execution and system decommissioning.

At initiation, the designer should have an idea of what the project will entail, and what assets, such as sensitive data, will be involved, introduced or addressed by it. In particular, the owner must be aware of the privacy laws and regulations that apply, such as the EU Data Protection Directive or the US Safe Harbour agreement.

The planning stage enables the owner to develop detailed requirements. The privacy requirements at this stage must be just as definitive. Mechanisms such as encryption will be proposed to protect, for example, consumer and client data on storage media.

During the execution phase, problems relating to privacy must again be identified. The project owner should be made aware of these prior to the project ‘going live’, and should sign off any privacy-related issues that have been raised by the project.

Privacy must finally be addressed at system decommissioning. Decommissioning must be planned for at the beginning of the project, not left until the end, and should involve secure deletion of data from computer media before disposal, or destruction of paper records before vacating buildings.

Technology can help protect our privacy, but even the most sophisticated software-engineered security system can be seriously undermined — by human beings.

People are willing to risk their privacy by giving away personal data too easily for two reasons. First, there are the perceived benefits of buying products online, often with some form of discount available on electronic purchases only. Second, people do not place a financial value on their data the way they would on their personal possessions, and this is a mistake. If people realised that their personal information is worth more on the black market than their computer, they would be more careful. We all need to do more to keep our personal details, such as PINs and online banking details, safe.

Privacy violation is rife in the workplace as well, but this can be minimised by motivating staff responsible for monitoring and maintaining privacy systems. Leading IT economists have found that computer security systems often fail because people who maintain them sometimes lack the drive to keep IT security networks up to speed. Managers must play an important role by liaising with staff.

Managers also need to emphasise that the data their staff protect is as valuable as their own personal banking details. Staff should look after other people’s data as if it were something of monetary value in their own home.

To grow privacy as a priority for every employee, businesses should stop delegating responsibility to junior members of staff. It is a board-level issue, and should be the duty of a senior decision maker.

An event taking place in London next month, A Fine Balance 2008, will look at the challenges faced by organisations that are using privacy-enhancing technologies in practice. It will be attended by leading representatives from Microsoft, IBM Research, the Department for Transport, and four of the government’s Knowledge Transfer Networks working in privacy research.

We all need to work harder to protect privacy, whether we work for government, academia or industry. The challenge is striking a balance between using technology, educating people about the true value of their data, and employing common sense to avoid privacy breaches such as HMRC’s incident last year. Let us not mark another significant data loss anniversary this time next year.

Nigel Jones is the director of the Cyber Security Knowledge Transfer Network, an independent, business-focused network, funded by government as an advisory body for issues related to e-crime and information security.